XF 2.2 Authentication from a Node application

ppissanetzky

New member
I'm working on a Node application that is on the same domain as our forum. I'd like to authenticate every request to this application against the forum, to ensure the calling user is valid and get user information. My application has access to all the XF cookies in every request.

What I'm doing now is grabbing the xf_session cookie from the incoming request and then calling the auth/from-session endpoint with a super user key (and no user id header) to authenticate the user and get the information. This is not very reliable. I do not include any other cookies from the incoming request in this API request.

Some incoming requests are missing the xf_session cookie, presumably because it has expired, but include the xf_user cookie. I see that when visiting the forum in that case, a new session is created.

So, my question is, how should I go about doing this? How can I authenticate every request and get the calling user's info?
 
The xf_user cookie is the remember_cookie parameter that auth/from-session takes. So the best way to handle this is to pass both the session cookie and remember cookie values into the endpoint. The code will look at the session ID first (if provided). If it doesn't resolve to a valid session, it will then look at the remember cookie to see if that points to a valid user. If neither works, it will return a failure (success=false).
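
One way to make the call described in the answer above from Node, as an added example that is not part of the original thread or XenForo's own code: it forwards both cookie values and treats anything other than success=true as unauthenticated. The forum URL, the default `xf_` cookie prefix, `session_id` as the name of the session parameter, and Node 18+ globals (`fetch`, `AbortSignal.timeout`) are assumptions.

```javascript
// Added example. The forum URL below is a placeholder, not a real site.
const XF_API_BASE = 'https://forum.example.com/api';
const COOKIE_PREFIX = 'xf_'; // assumed: XenForo's default cookie prefix

// Parse a raw Cookie header into a map, tolerating malformed percent-encoding.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim(), raw = part.slice(eq + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Build the auth/from-session call; null means there is nothing to verify.
function buildAuthRequest(cookieHeader, apiKey) {
  const cookies = parseCookies(cookieHeader);
  const body = new URLSearchParams();
  const session = cookies[COOKIE_PREFIX + 'session'];
  const remember = cookies[COOKIE_PREFIX + 'user'];
  if (session) body.set('session_id', session);
  if (remember) body.set('remember_cookie', remember);
  if (!session && !remember) return null;
  return {
    url: XF_API_BASE + '/auth/from-session',
    init: {
      method: 'POST',
      headers: { 'XF-Api-Key': apiKey, 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Resolve to the XenForo user object, or null (fail closed) on any failure.
async function authenticate(cookieHeader, apiKey, fetchImpl = fetch) {
  const req = buildAuthRequest(cookieHeader, apiKey);
  if (!req) return null;
  try {
    const res = await fetchImpl(req.url, { ...req.init, signal: AbortSignal.timeout(5000) });
    if (!res.ok) return null;
    const data = await res.json();
    return data.success === true && data.user ? data.user : null;
  } catch {
    return null; // network error, timeout or bad JSON: treat as unauthenticated
  }
}
```

Call `authenticate(req.headers.cookie, apiKey)` from a request handler or middleware, with the super user key read from server-side configuration so it never reaches the browser.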
 